Random users unable to auth to domain

Unanswered Question

In our environment, certain random users are unable to authenticate to the domain via wireless; however, the same users can log in just fine when wired in. Current WLAN setup is:


Cisco ACS 4402
WPA2-Enterprise/LEAP
24 Cisco Aironet APs
2 Cisco WCS appliances
Pre-Auth enabled
Fast Roam enabled


Security Audit events on the ACS give the following Failure Audit:



Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 4/27/2010
Time: 10:45:34 AM
User: NT AUTHORITY\SYSTEM
Computer: MGRMC-WCS
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: axxxx.bxxxxxr
Source Workstation: CISCO
Error Code: 0xC0000064


During the login sequence (after entering in username), Pre-Auth seems to kick in, assigning an IP to the laptop. After it does that, however, it comes back and says that the Domain is not available for these certain users. Logging in with another account (domain admin or other standard user) connects just fine and authenticates properly.


When looking at events on the WCS, I found the following:



Client '00:21:6a:28:56:4c ([email protected], 10.172.1.14)' which was associated with interface '802.11b/g' of AP 'AP102' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.


I don't believe we have 802.1X enabled, but how do I verify for sure? I've inherited this system, so not all knowledge of it has been given to me. Thanks in advance!

dancampb (Cisco Employee) Wed, 04/28/2010 - 09:59

The client exclusion on the controller is because the RADIUS server failed the client's authentication three times.  If you turn off client exclusion on the WLAN you won't see this anymore.


The main issue is that your RADIUS server is failing the authentications.  If you look up the error code (0xC0000064) it says that the specified user doesn't exist.  The error says the user trying to log on is axxxx.bxxxxxr.  Does this account exist in AD?
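To make the reply above concrete, here is an added triage script (not from the thread, and not Cisco's code) that reads the two kinds of messages quoted in the question, the Windows "Account Logon" failure audit (event 680, or 4776 on newer servers) that ACS produces when it forwards a LEAP/MS-CHAP credential to the domain, and the WCS/controller client-exclusion event, decodes the NTSTATUS "Error Code", and correlates both by user. The sample log text is constructed to mirror the two messages in the post; the realm `corp.example`, the second account `CORP\jdoe`, and the timestamps are made up.

```python
"""Correlate ACS/Windows Account Logon failure audits with WLC/WCS client
exclusions.  Added example; the sample data below is constructed."""
import re
from collections import defaultdict

# Standard NTSTATUS values that appear in the "Error Code" field of
# event 680 / 4776.  0xC0000064 is the one in the thread.
NTSTATUS = {
    0xC0000064: "no such user",
    0xC000006A: "wrong password",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "logon from an unauthorised workstation",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000224: "password must be changed at next logon",
    0xC0000234: "account locked out",
}

# Field order in the event text as quoted in the thread; 4776 uses the
# same fields, so the case-insensitive match covers both.
AUDIT_RE = re.compile(
    r"Event ID:\s*(?P<eid>680|4776)\b.*?"
    r"Logon account:\s*(?P<account>\S+).*?"
    r"Source Workstation:\s*(?P<src>\S+).*?"
    r"Error Code:\s*(?P<code>0x[0-9A-Fa-f]+)",
    re.S | re.I,
)

# Controller/WCS exclusion message, as quoted in the thread.
EXCL_RE = re.compile(
    r"Client '(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \((?P<user>[^,]+), (?P<ip>[^)]+)\)'"
    r".*?AP '(?P<ap>[^']+)' is excluded\. The reason code is '(?P<reason>\d+)\(",
    re.I,
)


def norm_user(name):
    """DOMAIN\\user, user@realm and bare user all reduce to 'user'."""
    name = name.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def parse_audit(text):
    return [{"account": m["account"], "src": m["src"], "code": int(m["code"], 16)}
            for m in AUDIT_RE.finditer(text)]


def parse_exclusions(text):
    return [m.groupdict() for m in EXCL_RE.finditer(text)]


def triage(audit_text, wcs_text):
    """Per user: how often the domain rejected the credential ACS forwarded,
    why, and whether the controller has since excluded the client."""
    report = defaultdict(lambda: {"failures": 0, "reasons": set(), "excluded": []})
    for ev in parse_audit(audit_text):
        r = report[norm_user(ev["account"])]
        r["failures"] += 1
        r["reasons"].add(NTSTATUS.get(ev["code"], "unknown NTSTATUS 0x%08X" % ev["code"]))
    for ex in parse_exclusions(wcs_text):
        report[norm_user(ex["user"])]["excluded"].append(ex["mac"])
    for r in report.values():
        if "no such user" in r["reasons"]:
            # The lookup reached the domain and came back empty: this is
            # between ACS and AD (external DB / group mapping), not the WLC.
            r["verdict"] = ("domain reports the account does not exist: check the ACS "
                            "External User Database / group mapping, not the controller")
        elif r["reasons"]:
            r["verdict"] = "credential reached the domain and was rejected: " + \
                           ", ".join(sorted(r["reasons"]))
        else:
            r["verdict"] = ("excluded by the controller with no matching domain failure "
                            "audit: check ACS Failed Attempts and RADIUS reachability")
    return dict(report)


# Constructed sample: three 680 failures for the account in the thread plus
# one wrong-password failure for a made-up account, and the WCS exclusion.
_EVENT = ("Event Type: Failure Audit\nEvent Source: Security\n"
          "Event Category: Account Logon\nEvent ID: 680\nDate: 4/27/2010\n"
          "Time: {time}\nUser: NT AUTHORITY\\SYSTEM\nComputer: MGRMC-WCS\n"
          "Description:\nLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
          "Logon account: {account}\nSource Workstation: CISCO\nError Code: {code}\n\n")
SAMPLE_AUDIT = "".join([
    _EVENT.format(time="10:45:34 AM", account="axxxx.bxxxxxr", code="0xC0000064"),
    _EVENT.format(time="10:45:41 AM", account="axxxx.bxxxxxr", code="0xC0000064"),
    _EVENT.format(time="10:45:48 AM", account="axxxx.bxxxxxr", code="0xC0000064"),
    _EVENT.format(time="10:46:02 AM", account="CORP\\jdoe", code="0xC000006A"),
])
SAMPLE_WCS = ("Client '00:21:6a:28:56:4c (axxxx.bxxxxxr@corp.example, 10.172.1.14)' "
              "which was associated with interface '802.11b/g' of AP 'AP102' is excluded. "
              "The reason code is '4(802.1X Authentication failed 3 times.)'.")

if __name__ == "__main__":
    for user, r in triage(SAMPLE_AUDIT, SAMPLE_WCS).items():
        print(user, r["failures"], r["excluded"], "->", r["verdict"])
```

Run it against a copy of the Security log export and the WCS alarm list and the per-user verdict separates the three cases that look identical from the controller's side: the account was never found (the thread's case), the credential reached AD and was rejected for a decodable reason, or the controller excluded a client without ACS ever logging a domain failure.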


 

dancampb (Cisco Employee) Wed, 04/28/2010 - 10:12

You might want to check your group mappings in ACS to make sure it is searching the correct groups in AD for these users.

dancampb (Cisco Employee) Wed, 04/28/2010 - 10:22

The issue isn't on the controller, it's between ACS and AD.  The controller is proxying the EAP packets between the client and ACS.


To check the group mappings you would go under the External User Database  - Database Group Mappings - Windows Database

OK, I can't find anywhere for external database settings on the server. When trying to go to AAA settings, I get this:



As a broad view, I notice that the controllers' Audit Status says "Mismatch":



Under Local EAP, there are no profiles set. Here are some other screenshots of the setup. Like I said, I inherited it. A vendor installed it. I am pretty certain it wasn't done correctly.


Okay, looking under Windows Database, all that is listed is \DEFAULT. I would assume that I need to make a new configuration that points to our domain, so I'm going through that process. If I want to allow all domain users access, I should just choose "Users", correct? I don't see "Authenticated Users", so "Users" is my next logical choice. Under that, for ACS Group choice, do I choose Default, or do I choose a group? And with the groups, do I have to maintain those or are they akin to permission levels on a switch or router?

OK, so now I have the ACS actually POINTING to our domain (I still don't know how it's worked up to this point, but whatever), the next question along the same line is:


We do have the occasional person's laptop that just up and disconnects, somewhat randomly. Case in point, a co-worker here in the office will be working along just fine, but suddenly his laptop starts to reconnect to the network and never will authenticate back without having to reboot (and sometimes that doesn't even work). Looking at the "Passed Authentications" report on the ACS, it looks like users that are logged in are doing a re-auth at fairly regular intervals. I'm thinking that, since the ACS wasn't looking in the right place (or ANY place, actually) for users, perhaps users' accounts that are trying to re-auth suddenly can't be found and therefore get dropped and/or temporarily banned. Does that sound logical?
